Fetch Apply is a simple system configuration and management framework designed for transparency, security, efficiency, and auditability. Fetch Apply has many, wonderful advantages over other, similar frameworks... here are just a few:
- Written in Bash
- Fetch Apply is written entirely in Bash: the standard language behind most commandlines. This allows for streamlined management in a language natively supported by most computing environments.
- Small codebase
- Fetch Apply's entire codebase is minuscule—less than a thousand lines long—and powered by a single file. As a result, Fetch Apply is easily user-auditable, and capable of providing simple, yet powerful, system management... something that becomes unrealistic with other tools' large codebases and dependencies.
- Standardized but customizable
- Fetch Apply uses a standardized framework with simple terminology, making it easy to use and eliminating the learning curve. The code is simple and descriptive, meaning that Fetch Apply can be customized to suit your needs in a snap.
- Powered by Git
- Fetch Apply is powered by git, allowing systems administrators (or anyone else, should you choose to use a public repository) to view a complete history of all configurations, changes, and code introduced into their systems, thus improving security and accountability, and making troubleshooting easier than ever.
- Basically agentless... unless you don't want it to be
- Fetch Apply does not require some hefty installation process that involves setting up services, reworking permissions, adding new users, etc. Instead, it takes the form of a simple bash script run periodically via cron. From there, it is your choice as to how "agentless" you would like Fetch Apply to be. You can have it poll a centralized server for new changes and updates consistently... or work quietly without even the need for an internet connection. Fetch Apply molds easily to fit any use case.
To install Fetch Apply on your system, use the following commands to download the installation script, and then run it:
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install
To install Fetch Apply non-interactively, you may supply your installation preferences via any number of commandline arguments, as outlined in the help message:
Fetch Apply Installation Script
Usage:
install [OPTIONS]
Options and Default Values:
--help
Show this help message
--uninstall
Uninstall Fetch Apply
--upgrade
Upgrade Fetch Apply to the latest version
--installation-path=/var/lib
Fetch Apply installation location
--log-file-path=/var/log/fetch-apply.log
Fetch Apply log location
--device-hostname=${DEVICE_HOSTNAME}
Hostname to use
--operations-repository-url=https://source.priveasy.org/Priveasy/server-configurations.git
URL to your operations (Fetch Apply configuration) repository
--operations-repository-branch=main
Branch of the operations repository to use
--crontab-entry="0 0 * * *"
Crontab entry indicating how often to run Fetch Apply; the default is to run
Fetch Apply once every 24 hours, at a random time generated during installation
A non-interactive installation example:
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --operations-git-url=https://example.com/MyAccount/MyOperationsRepository.git --server-hostname=myServer
To upgrade an existing Fetch Apply installation, you can use the following commands to automate the process:
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --upgrade
To uninstall Fetch Apply, use the following commands:
curl https://source.priveasy.org/Priveasy/fetch-apply/raw/branch/main/install -o /tmp/install
sudo bash /tmp/install --uninstall
Running Fetch Apply from start to finish is admittedly a bit complicated, and it may take some time to memorize its intricacies. But, if you're willing to put in the time and effort, I can assure you that it will be worth-while.
Are you ready?
Here's what you need to memorize:
sudo fa
Yup. That's it. If you want to run Fetch Apply manually, just type fa
into your terminal... and you're done! Keep in mind, however, that Fetch Apply is designed to be run automatically by cron
anyways, so you'll likely never even have a reason to run it manually!
When run, fa
will execute a git pull
to grab the latest updates to your operations
repository, and then apply any of the applicable initializers
, modules
, or patches
as outlined therein.
Although Fetch Apply is designed to be simplistic and lightweight, it does also come with quite a few advanced options. These advanced options can be accessed when running the fa
command, or by manipulating the Fetch Apply configuration file.
fa - transparent system configuration and management
Usage:
fa [options] [command]
Options:
--fake Preview a command without actually applying any operations
--force Run even if a pause or run lock is set
--help Show this help message
--no-fetch Don't fetch the inventory before running the command
--quieter Suppress log messages
Commands:
clear-inits Allow completed initializers to run one more time
fetch Update local operations repository by fetching from upstream
list-classes List all classes
list-modules List all modules
list-roles List all roles
pause Set the pause lock to avoid periodic runs while debugging
recover Remove run lock after a failure
reset Reset/clean operations repository to match the remote origin
resume Resume periodic runs after a pause (unset the pause lock)
run <module-name> Run a specific module ad hoc (--force automatically set)
status Display detailed Fetch Apply status information
# Fetch Apply Configuration File
# This file contains global variables used within
# Fetch Apply to modify certain, standard behaviors.
# All possible options, along with their default values,
# are listed within this file.
# Please refrain from removing/renaming any of these variables,
# and maintain proper, Bash syntax at all times.
# Fetch Apply installation location:
fa_var_FA_ROOT=/var/lib/fetch-apply
# Fetch Apply log file path:
fa_var_LOG_FILE_PATH=/var/log/fetch-apply.log
# Fetch Apply maximum log file size (in lines):
fa_var_MAX_LOG_LENGTH=10000
# Operations repository branch to use:
fa_var_OPERATIONS_BRANCH=main
# Allow automatic class assignments:
fa_var_AUTOMATIC_CLASS_ASSIGNMENT=true
# Automatically pull from remote repository with each run:
fa_var_AUTOMATIC_FETCH=true
# Only execute modules/patches/initializers after a change is detected in the remote operations repository:
fa_var_EXECUTE_ON_CHANGE=false
# Only execute modules after they have been modified:
fa_var_EXECUTE_IF_MODIFIED=false
# Ignore errors (pause locks will be honored, but execution will not
# halt for run locks or after any command returns a non-zero exit code):
fa_var_IGNORE_ERRORS=false
Fetch Apply works by fetching the desired system configuration from an "operations" repository of your choosing (public or private), and then applying that configuration to the system on which Fetch Apply is installed.
In order for Fetch Apply to understand your system configuration, you must start with (and maintain) this standard structure:
.
├── classes
├── initializers
├── modules
├── roles
└── variables
Where classes
, initializers
, modules
, and roles
are directories and variables
is a file.
To create this base structure quickly, feel free to run the following command inside of a designated folder (your "operations" repository):
mkdir classes initializers modules roles && touch variables
Special Files are the magic that drives Fetch Apply... and they couldn't be any simpler! A Special File is simply a file named for one of the three Fetch Apply components: initializers
, modules
, and roles
. They contain a list of items of that component type, to apply to the system(s) within the file's scope.
Let's break that down a bit, into some bite-sized points:
- Special Files may only have one of the following names:
initializers
modules
roles
- Special Files are required in the following circumstances:
- All three special files must be in every, single class directory
- Any host directory wishing to supplement or override a Special File in the containing class directory, must also include that type of Special File. If no Special File is found in a host directory, only the class's corresponding Special File will be used.
- Special Files may be left blank if there is nothing to apply, otherwise they must list, one item per line, the items they wish to apply. For example, within a
modules
special file, you may write the following, to apply theapt
,scp
, andufw
modules:
apt
scp
ufw
- Special Files will only affect systems that are part of the same class that the Special Files are located in. This allows you to specify and apply different modules, initializers, and roles to different classes of hosts.
In order to prevent errors and unexpected behavior, Fetch Apply must reserve certain file, directory, function, and variable names for official use only.
Fetch Apply reserves the file and directory names of all Special Files (initializers
, modules
, and roles
) on a global level. This means that no other type of file or directory within your operations repository's should be given the same name as a Special File. If you do give a different file one of the reserved file/directory names, then Fetch Apply may treat it as if it were that Special File, resulting in errors or unexpected behavior. The variables
and classes
file/directory names are also reserved on a global level.
When inside of a class directory, the file/directory name assignments
is reserved, as this file is used to specify manual class assignments.
When inside of a class or host directory, the file/directory name patches
is reserved, as this directory is solely used for distributing patches to the applicable classes/hosts, and all of the directly-contained files will be executed.
When inside of a host directory, the file/directory name override
is reserved, as its existence (or lack thereof) is used as a flag to instruct Fetch Apply to override the class's Special Files with the host's, instead of supplementing them.
When inside of a module, the file/directory name apply
is reserved, as it is a required file that will be executed by Fetch Apply whenever that module is run.
To be clear, reserved files/directories are meant to be created by a user, however they may only be formatted and used in accordance with the Fetch Apply documentation.
Due to limitations with Bash, Fetch Apply must reserve its internal, Bash variable and function names, in order to prevent a user from accidentally redefining a function or reassigning a variable critical to Fetch Apply's proper operation. To make this easy, all variable names used by Fetch Apply begin with fa_var_
, and all function names begin with fa_func_
. Therefore, just make sure that the names of any variables or functions you define in Bash inside of your operations repository don't also begin with fa_var_
or fa_func_
.
In addition to the global variables
file, any directory containing code to be executed should include a variables
file within it. The specific directories that can host a variables
file are:
- The base directory
- Class directories
- Host directories
- Module directories
Fetch Apply will automatically scan those directories and load any applicable variables found within them.
- The
variables
file in the base directory is to be used for storing global variables. - The
variables
file in a class directory is to be used for storing variables that will only apply to systems that belong to that class. - The
variables
file in a host directory is to be used for storing variables that will only apply to that one, specific host. - The
variables
file found in a module directory is to be used for storing variables that will only apply when that one, specific module is run.
All applicable variables will be automatically loaded and be accessible for use within your code (without the need to "source" anything). That means that not only will you have access to the variables stored in the same directory as, say, a specific host, but you will also be able to reference that host's class's variables, as well as the global variables.
In the case that two identical variables are declared, precedence is as follows (from winner to loser):
current_module > hosts > classes > global > previously_run_modules
Classes are used to distinguish between types of systems. Within the classes
directory, you may create specifically-named directories to separate your systems/devices/servers into distinct groups.
Fetch Apply will determine which classes apply by searching for directories within the classes
directory that contain the hostname of the system it's installed on.
For example, let's say that you have the following servers that you need to maintain:
- Webservers
webserver1
new-york-webserver2
Webserver-fallback
- Database Servers
DATABASE-server-1
database2
databasethree
These servers can be easily split-up into the following two categories (classes):
webserver
database
Servers within the webserver
class will likely share similar maintenance tasks, installation procedures, etc. The same applies to the database servers. Therefore, instead of having to re-write code to set up each individual server, we can simply create two classes: webserver
and database
. Any servers falling into the same class will share the same code.
Because each webserver's hostname contains webserver
somewhere within it, and each database server's hostname contains database
somewhere within it, yet no webserver's hostname contains database
within it and no database server's hostname contains webserver
within it, Fetch Apply will automatically identify and associate each server with its correct class. Fetch Apply's automatic class identification is case insensitive.
It is possible to make exceptions to Fetch Apply's automatic class identification by including an assignments
file within a class directory. In this file, you should list, one per line, the hostname of each system to which you would also like the class applied. This will force the class to be applied to any specified hosts, regardless of whether or not their hostname matches with the class name. A host given a specific class assignment will still have any other, applicable classes applied to it, as determined by automatic class detection and assignment. If you wish to disable automatic class detection and assignment, and opt for manually assigning each host to its class(es) via assignments
files within your class directories, you may set fa_var_AUTOMATIC_CLASS_ASSIGNMENT
equal to false
in your Fetch Apply configuration file (located at /etc/fetch-apply
).
While assignments
files are optional, keep in mind that every class directory must contain the following files (although they may be left blank):
initializers
modules
roles
Host directories are contained within a class directory, and are used to supplement a class's initializers
, modules
, roles
, and variables
, for a specific host.
A host directory must be contained within a class directory that applies to the system it is targeting, and the host directory's name must be an exact match to the hostname of the target system.
For the applicable host, all class Special Files will be executed first, followed by the Special Files contained within the host directory. In the event that a Special File is missing from the host directory, only the class's Special File will be executed.
If you wish for host-specific Special Files to override the class's Special Files (as opposed to supplementing them), preventing the class's corresponding Special Files from being run for that host, create a file in the desired host directory named override
. This file may be left blank.
If override mode is set for a host, but no overriding Special File is found in the host directory, the class's Special File will still be run. This allows you to specify only certain Special Files that should be overridden/customized for the specific host, while still allowing the host to use the class's "default" Special Files for any Special Files that have not been included in the host directory. If you simply wish to prevent a class's Special File from being run for a specific host, but do not have any actions that you would like to override it with, create a blank Special File of the same type in the host directory and activate override mode for that host.
To review, every host directory may contain the following files (and they may be left blank):
initializers
modules
override
roles
variables
Initializers are installation/set-up scripts that are designed to be run only once. Their goal is to "initialize" (configure) a system, and will only be executed the first time that Fetch Apply is run on that system.
Initializers are created by adding a file with the desired commands to be run, to the initializers
directory. The name of the file you create within that directory will be the name of the initializer.
To apply an initializer to a class or host, add the name of the initializer (or list one name per line, if assigning multiple initializers) to the initializers
Special File in the desired class or host directory.
Note that all initializers will be executed from the context of the initializers
directory. Therefore, it's possible to create additional, supporting files for that initializer (or better yet, create a single directory within the initializers
directory for each initializer, to contain its supporting files), and then reference them using their relative paths.
Modules are collections of code that share a single, common purpose. Generally, a module will be designated a program or task, and then labeled accordingly. For example, you may have one module to handle firewall rules, another to update the system, and a third to configure a database. If the module will, for the most part, be working with a single program, then the convention is to label the module with that program's name. In this example, the previously-mentioned modules could be named ufw
, apt
, and postgresql
, respectively.
Modules are the only entity containing code/commands designed to be run regularly on your system. By default (unless a different time interval is specified during installation), every module assigned to your system is run once every 24 hours. For this reason, it's usually a good idea to design modules that are idempotent in nature. In other words, modules should work towards maintaining a desired state or configuration, and should be designed to be run more than once without "breaking" anything by doing so. For example, a module might export performance statistics each night, write a configuration file then restart a service, clear cached data, or any other consistent action or maintenance task.
If you have an action that should only be performed once, look into using an initializer or patch instead. If you would like to automate actions that are commonly—but should not be consistently—run, it may still be appropriate to create a module. In this case, avoid applying the module to any hosts, and instead just run it ad hoc as needed.
Modules can be run ad hoc (on demand) by specifying the run
command, followed by the module's name. For example, to run the apt
module ad hoc, the following command would be used:
fa run apt
Please be careful when running modules ad hoc, as running a module ad hoc is seen as a "manual override", and rules that would normally regulate the eligibility of a module to be run will be ignored.
To create a module, make a new directory within your modules
directory. The name you give this directory will be the module's name. Within the new directory you just made, create the required apply
file and the optional variables
file. When your module is to be run, Fetch Apply will load any module-specific variables from the variables
file, if it exists, and then run any code/commands you've written (in Bash) in the apply
file.
Apart from the two reserved files, you may create as many additional, supporting files and directories as you wish within the module's directory. Common supporting files include configuration file templates and custom code. Subdirectories are also frequently used to isolate different versions of the same code, each crafted for a specific operating system or version. Before a modules is run, Fetch Apply first changes the current directory to that of the module, allowing developers to use relative paths in their code.
Remember that the apply
file is the "command center" for your module, and is the only file (other than an included variables
file) that Fetch Apply will run. If you use supporting files, they must be referenced or run from the apply
file.
For example, if you have a Python script that you wish to run as part of the module, make sure to call it from apply
:
python3 python_script_name.py
If you have logic to determine which subdirectory's code to run, it should also be done from within apply
. For example:
if [ "$(lsb_release -rs)" == "22.04" ]
then
# Run the bash script located within the Ubuntu 22.04 directory:
source ./ubuntu-22.04/script.sh
elif [ "$(lsb_release -rs)" == "18.04" ]
then
# Run the main python script located within the Ubuntu 18.04 directory:
python3 ubuntu-18.04/main.py
else
# If no match found, run this default script:
source default_script.sh
# Note: you could also use a variable instead of grabbing the release version, or you
# could grep for the description to get the OS instead of just the release number, etc.
fi
If you're writing custom configuration files, that would also be done from within apply
:
mo config-file.template > /etc/configuration
Fetch Apply comes bundled with mo
by default (and it is sourced automatically, so there is no need to source mo
in your apply
file). This allows you to use mustache-style templates with your modules, as demonstrated above. For information on how to format these templates, see the mo documentation.
Most Fetch Apply users treat mo
like a more-powerful version of the cat
command. It is commonly used to read configuration files provided within an operations repository, and then write them to the desired location on a given system.
To write a basic configuration file to a desired location, all of the following commands would be functionally identical:
cp example.conf /etc/example.conf
cat example.conf > /etc/example.conf
mo example.conf > /etc/example.conf
However, where mo
differs from cat
, is that it allows for more-advanced mustache-style templates to be used. These templates can contain variables, loop over arrays, and more.
Note: While mo
does come built-in for convenience, it is not required, and any of the alternate commands listed above would work just as well, if you don't need bash templating functionality.
The final consideration to make when creating or updating your modules is how you would like them to run. By default, each applicable module will be executed every time Fetch Apply runs. For the vast majority of users, this is best practice. It allows you to ensure that your system will always maintain the desired state. For example, if you upgrade a package and accidentally choose to install the package maintainer's default version of the configuration file, instead of keeping your custom version, Fetch Apply will automatically correct this error the next time that package's module runs. The same goes for any other tinkering that may occur on your system, allowing Fetch Apply to automatically reset and maintain firewall rules, always rotate log files, consistently send out scheduled emails, etc. By enforcing your system's state through consistently-executed Fetch Apply modules, you ensure that no permanent changes happen to parts of your system for which you've written a module, unless those changes are committed to your operations repository. This means that you will always have a timestamped, user-attributable, complete version history of all changes to your system, aiding with compliance, error identification and recovery, and more. That being said, there are some users for whom this approach doesn't work. These users may be working in high-availability environments, have modules that cannot be efficiently executed, and/or need the flexibility to make persistent changes in their environments for extended periods of time, before committing them to the operations repository. In these cases, Fetch Apply includes two settings in its configuration file which may be activated to better suite the needs of these types of environments. The first setting, fa_var_EXECUTE_ON_CHANGE
, when set to true
, will automatically check the remote origin of the operations repository for any changes since the last time Fetch Apply was run. If no changes are found, then no operations (initializers, modules, or patches) will be run. On the other hand, if any updates have been made to the repository, then all operations (all applicable new initializers, modules, and new patches) will be run. The second setting, fa_var_EXECUTE_IF_MODIFIED
, when set to true
, takes the previous setting a step further, and will only execute the specific operations that have been modified since the last time Fetch Apply was run, if any. This means that only new initializers, new or modified modules, and new patches will be executed. Be careful when activating this setting immediately after installing Fetch Apply, because none of the assigned modules will run on that system until they have been updated in the operations repository's remote origin.
A role is a group of modules that frequently work together towards completing a general goal, or have some sort of relationship with one another. Roles are made by creating a file within the roles
directory and listing, one module per line, the name of each module that makes-up that role. The name of the file created in the roles
directory will be the name of that new role.
For example, to create a "security" role, we would create a file named security
within the roles
directory, and then add all of our security-related modules to it, as such:
nftables
sshd
fail2ban
motd
To apply a role to a class or host (and therefore, by extension, run all of the role's modules on the applicable class/host system(s)), simply include the name of the role (or list one name per line, if assigning multiple roles) to the roles
Special File in the desired class or host directory.
Patches are "quick and dirty" scripts that are designed to be run first, but only once, on an applicable system. Their goal is to apply quick fixes and modifications to alleviate security issues or correct unexpected bugs that could not be planned for ahead of time (i.e. mitigated during initialization) and must be fixed in a one-off manner (i.e. cannot be included as part of an idempotent module).
Patches can be deployed by creating a patches
directory within the class or host directory that you would like to apply the patch to, and then adding a patch in the form of a Bash script within that directory. A host will immediately attempt to execute any new files found within a patches
directory applicable to that host. This means that you may name your patches whatever you'd like (as long as each patch's name is unique across all patches
directories that may apply to a host)... however it also means that you may not include supporting files directly within the patches
directory. Instead, a subdirectory (inside of the patches
directory) should be made for each patch file that relies upon supporting files, and then those supporting files should be placed in that subdirectory. All patches will be run from the context of the containing patches
directory, meaning that relative paths may be used in your code. Although patch scripts must be written in Bash, just like with modules, it's perfectly valid to just use a patch file to run a script (included as a "supporting file") in another language, or to execute a binary.
Unlike initializers and modules, which are meant to be well-developed and modified/optimized over time, patches are designed to provide quick, one-time fixes. For that reason, once a patch has been run, Fetch Apply will never run that patch again. By design, all new patches need to be represented by separate files. Simply modifying a current patch file that has already been run by Fetch Apply will not work, and will not result in that updated code being applied. For compliance and troubleshooting purposes, most organizations retain all of the files in their patches
directories for at least six months, keeping the patches easily and readily accessible. Because patches are usually retained for a class, the first time Fetch Apply is installed and run on a system, it will automatically mark any already-existing patches as completed, so that they will not be applied to the new system. It is assumed that whatever the issue was that required a patch in the first place, is resolved before a new system is stood up. Therefore, the fa status
command will still list old, applicable patches as having been applied. If you need to apply an old patch to the new system, you will need to copy it (with a new name) to the patches
directory for that specific host.
You are welcome to delete a patch at any point, however make sure that the deletion has time to sync with the Fetch Apply instances on all applicable systems before creating a new patch with the same name, otherwise the new patch will not be run. Similarly, make sure that any patch you create has enough time to sync and be executed on all applicable Fetch Apply instances, before deleting it. With a default installation (designed to automatically run Fetch Apply once every 24 hours), you should plan for a sync time of at least 24 hours (unless you manually run Fetch Apply from all applicable systems sooner).
Note: just like with Special Files, class patches may be ignored/overridden for a specific host by including the patches
directory and an override
file in the host directory.
This is an overview of an example "operations" repository for a small organization with the following systems:
- Webservers
ws01.example.com
nyc-ws02.example.com
StaticWS.cdn.example.net
new-webserver.example.com
- Database Servers
db01.example.com
db-backup.example.com
- DNS Servers
primary-dns.example.com
secondary-dns.example.com
Example content that an administrator may include in a very basic operations repository for the above organization:
operations/ ----------------------------> The base, operations repository
├── classes/ ---------------------------> The classes directory
│ ├── db/ ----------------------------> A class directory whose contents will apply to all database servers
│ │ ├── initializers ---------------> List of initializers to apply to the database servers
│ │ ├── modules --------------------> List of individual modules to apply to the database servers
│ │ ├── roles ----------------------> List of roles to apply to the database servers
│ │ └── variables ------------------> Contains the non-global variables specific to the database servers
│ ├── dns/ ---------------------------> A class directory whose contents will apply to all dns servers
│ │ ├── initializers ---------------> List of initializers to apply to the dns servers
│ │ ├── modules --------------------> List of individual modules to apply to the dns servers
│ │ ├── primary-dns.example.com/ ---> A host directory whose contents will only be applied to the specified host
│ │ │ └── patches/ ---------------> A patches directory containing patches to be executed just for this host
│ │ │ ├── fix-record ---------> A patch written in bash that will be executed, because it is a file
│ │ │ └── fix-record-files/ --> A directory corresponding to the above patch, containing its supporting files
│ │ │ └── example.com.db -> Supporting files for the patch, which are not meant to be directly executed
│ │ └── roles ----------------------> List of roles to apply to the dns servers
│ └── ws/ ----------------------------> A class directory whose contents will apply to all webservers
│ ├── assignments ----------------> An assignments file to explicitly assign new-webserver.example.com to this class
│ ├── initializers ---------------> List of initializers to apply to the webservers
│ ├── modules --------------------> List of individual modules to apply to the webservers
│ ├── patches/ -------------------> A patches directory containing patches to be executed for all webservers
│ │ └── restart-nginx ----------> A patch that will be executed, because it is a file directly under the patches directory
│ ├── roles ----------------------> List of roles to apply to the webservers
│ └── StaticWS.cdn.example.net/ --> A host directory whose contents will only be applied to the specified host
│ ├── initializers -----------> List of initializers to apply only to this host
│ └── override ---------------> Flag to make any included files override (instead of supplement) those in the ws class
├── initializers/ ----------------------> The initializers directory, containing any initializers and their supporting files
│ ├── db -----------------------------> An initializer to be run on database servers (when listed in the db class's initializers file)
│ ├── django-ws ----------------------> An initializer designed to be run on the dynamic webservers
│ ├── dns ----------------------------> An initializer designed to be run on the dns servers
│ ├── server -------------------------> A basic initializer designed to be run on all servers
│ └── static-ws ----------------------> An initializer designed to be run only on the static webserver
├── modules/ ---------------------------> The modules directory, creating all modules (code meant to be run regularly)
│ ├── nginx/ -------------------------> A module named "nginx", which will be run when listed in a modules or (activated) roles file
│ │ ├── apply ----------------------> The Bash script within a module that Fetch Apply will execute when that module is run
│ │ ├── nginx.conf -----------------> A supporting file within the module (in this case, likely a mo template of the nginx config.)
│ │ ├── variables ------------------> Module-specific variables that Fetch Apply will automatically load when the module is run
│ │ └── website.conf ---------------> A supporting file within the module (in this case, likely a mo template of an enabled site)
│ └── sshd/ --------------------------> A module named "sshd", which will be run when listed in a modules or (activated) roles file
│ ├── apply ----------------------> The Bash script within a module that Fetch Apply will execute when that module is run
│ └── sshd_config ----------------> A supporting file within the module (in this case, likely a mo template of the SSHd config.)
├── roles/ -----------------------------> The roles directory, defining all roles that can be activated via a class's/host's roles file
│ ├── core-maintenance ---------------> File that defines a role named "core-maintenance" that lists all modules belonging to this role
│ ├── db-maintenance -----------------> File that defines a role named "db-maintenance" that lists all modules belonging to this role
│ ├── dns-maintenance ----------------> File that defines a role named "dns-maintenance" that lists all modules belonging to this role
│ └── ws-maintenance -----------------> File that defines a role named "ws-maintenance" that lists all modules belonging to this role
└── variables --------------------------> The global variables file, containing variables that will be loaded for all hosts
14 directories, 32 files